mithat at adige:~$ opensc-tool -l
# Detected readers (pcsc)
Nr.  Card  Features  Name
0    Yes             ACS ACR38U-CCID 00 00
mithat at adige:~$ opensc-tool --atr
Using reader with a card: ACS ACR38U-CCID 00 00
3b:9f:96:81:31:fe:45:80:67:55:45:4b:41:45:12:92:31:80:73:b3:a1:80:6a
mithat at adige:~$ opensc-tool --name
Using reader with a card: ACS ACR38U-CCID 00 00
Unsupported card

2016-02-25 10:45 GMT+02:00 David Woodhouse <dwmw2 at infradead.org>:
> On Thu, 2016-02-25 at 09:15 +0200, Mithat Bozkurt wrote:
>>
>> I don't understand why I export cert to file. I think device should
>> block this action because this is my e-signature cert.
>
> No, the non-exportable part is the private key. The certificate is
> public, and declares that anyone who can prove that they have that
> private key, is whoever is identified as the subject of the
> certificate.
>
> If you go to secure web sites, you can inspect their *certificates* to
> check who they are. That's kind of the point. What you can't get is
> their matching private key.
>
> And later...
>
> On Thu, 2016-02-25 at 08:41 +0200, Mithat Bozkurt wrote:
>> Do I need specify 'type=private' to say 'use my private cert for user
>> cert'?
>
> No, OpenConnect needs to use *both* the certificate and the
> corresponding private key. It will append ';type=cert' or
> ';type=private' to the URI you give it, as appropriate. Note that it
> still isn't *exporting* the private key; it's using it in-place.
>
> TBH if OpenSC is supposed to drive this card, I really think you're
> better off pursuing that approach rather than persisting with the
> broken proprietary PKCS#11 token.
>
> Can you try
>     opensc-tool -l
>     opensc-tool --atr
>     opensc-tool --name
>
> as described in the 'Debugging OpenSC' link I gave you?
>
> --
> dwmw2
>
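
Added example, not part of the original messages and not OpenSC code: a decoder for the ATR that `opensc-tool --atr` printed above, following the ISO/IEC 7816-3 layout, to show what the card announces about itself when `opensc-tool --name` answers "Unsupported card". The names `parse_atr` and `ATR_FROM_POST` are made up for this example.

```python
from functools import reduce
from operator import xor

# Sample input: the ATR printed by `opensc-tool --atr` in the post above.
ATR_FROM_POST = "3b:9f:96:81:31:fe:45:80:67:55:45:4b:41:45:12:92:31:80:73:b3:a1:80:6a"


def parse_atr(text):
    """Decode an ISO/IEC 7816-3 ATR: interface bytes, historical bytes, TCK."""
    atr = bytes.fromhex(text.replace(":", ""))
    if len(atr) < 2 or atr[0] not in (0x3B, 0x3F):
        raise ValueError("TS must be 0x3B or 0x3F")
    n_hist = atr[1] & 0x0F   # T0 low nibble: number of historical bytes
    y = atr[1] >> 4          # T0 high nibble: which of TA1..TD1 follow
    pos, level, interface, t_values = 2, 1, {}, set()
    while True:
        td = None
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                if pos >= len(atr):
                    raise ValueError("ATR truncated in interface bytes")
                interface[f"{name}{level}"] = atr[pos]
                td = atr[pos] if name == "TD" else td
                pos += 1
        if td is None:
            break
        t_values.add(td & 0x0F)        # TDi low nibble: T value for the next group
        y, level = td >> 4, level + 1  # TDi high nibble: next presence bits
    hist = atr[pos:pos + n_hist]
    if len(hist) != n_hist:
        raise ValueError("ATR truncated in historical bytes")
    pos += n_hist
    tck_ok = None  # TCK is absent when T=0 is the only protocol offered
    if t_values - {0}:
        if pos >= len(atr):
            raise ValueError("ATR is missing TCK")
        tck_ok = reduce(xor, atr[1:pos + 1]) == 0  # XOR of T0..TCK must be 0
        pos += 1
    if pos != len(atr):
        raise ValueError("unexpected trailing bytes")
    printable = "".join(chr(b) if 32 <= b < 127 else "." for b in hist)
    return {"interface": interface, "t_values": sorted(t_values),
            "historical": hist.hex(), "historical_ascii": printable,
            "tck_ok": tck_ok}


if __name__ == "__main__":
    print(parse_atr(ATR_FROM_POST))
```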